title: DN_0001_4688_windows_process_creation
description: >
  Windows process creation log, not including command line logging
loggingpolicy:
  - LP_0001_windows_audit_process_creation
references:
  - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
  - EventID
  - Hostname             # redundant
  - SubjectUserSid
  - SubjectUserName
  - SubjectDomainName
  - SubjectLogonId
  - NewProcessId
  - NewProcessName
  - TokenElevationType
  - ProcessId
  - ProcessPid
  - TargetUserSid
  - TargetUserName
  - TargetDomainName
  - TargetLogonId
  - ParentProcessName
  - MandatoryLabel
  - ProcessName          # redundant
  - Image                # redundant
sample: |
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" />
      <EventID>4688</EventID>
      <Version>2</Version>
      <Level>0</Level>
      <Task>13312</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <EventRecordID>2814</EventRecordID>
      <Channel>Security</Channel>
      <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-5-18</Data>
      <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
      <Data Name="SubjectDomainName">CONTOSO</Data>
      <Data Name="SubjectLogonId">0x3e7</Data>
      <Data Name="NewProcessId">0x2bc</Data>
      <Data Name="NewProcessName">C:\Windows\System32\rundll32.exe</Data>
      <Data Name="TokenElevationType">%%1938</Data>
      <Data Name="ProcessId">0xe74</Data>
      <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
      <Data Name="TargetUserName">dadmin</Data>
      <Data Name="TargetDomainName">CONTOSO</Data>
      <Data Name="TargetLogonId">0x4a5af0</Data>
      <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
      <Data Name="MandatoryLabel">S-1-16-8192</Data>
    </EventData>
  </Event>